@lenne.tech/nest-server 11.10.0 → 11.10.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.10.0",
+  "version": "11.10.2",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -80,7 +80,7 @@
   "dependencies": {
     "@apollo/server": "5.2.0",
     "@as-integrations/express5": "1.1.2",
-    "@better-auth/passkey": "^1.4.16",
+    "@better-auth/passkey": "1.4.16",
     "@getbrevo/brevo": "3.0.1",
     "@nestjs/apollo": "13.2.3",
     "@nestjs/common": "11.1.9",
@@ -98,7 +98,7 @@
     "@tus/server": "2.3.0",
     "apollo-server-core": "3.13.0",
     "bcrypt": "6.0.0",
-    "better-auth": "^1.4.16",
+    "better-auth": "1.4.16",
     "class-transformer": "0.5.1",
     "class-validator": "0.14.3",
     "compression": "1.8.1",

package/src/core/modules/auth/guards/auth.guard.ts

@@ -1,10 +1,14 @@
 import { CanActivate, ExecutionContext, Logger, mixin, Optional } from '@nestjs/common';
+import { ModuleRef } from '@nestjs/core';
 import { GqlExecutionContext } from '@nestjs/graphql';
 import { AuthModuleOptions, Type } from '@nestjs/passport';
 import { defaultOptions } from '@nestjs/passport/dist/options';
 import { memoize } from '@nestjs/passport/dist/utils/memoize.util';
 import passport = require('passport');
 
+import { BetterAuthTokenService } from '../../better-auth/better-auth-token.service';
+import { BetterAuthenticatedUser } from '../../better-auth/better-auth.types';
+import { CoreBetterAuthService } from '../../better-auth/core-better-auth.service';
 import { AuthGuardStrategy } from '../auth-guard-strategy.enum';
 import { ExpiredRefreshTokenException } from '../exceptions/expired-refresh-token.exception';
 import { ExpiredTokenException } from '../exceptions/expired-token.exception';
@@ -21,7 +25,7 @@ const NO_STRATEGY_ERROR =
  * Interface for auth guard
  */
 export type IAuthGuard = CanActivate & {
-  handleRequest<TUser = any>(err, user, info, context): TUser;
+  handleRequest<TUser = any>(err: Error | null, user: any, info: any, context: ExecutionContext): TUser;
 };
 
 /**
@@ -29,39 +33,82 @@ export type IAuthGuard = CanActivate & {
  * @param request
  * @param response
  */
-const createPassportContext = (request, response) => (type, options, callback: (...params) => any) =>
-  new Promise((resolve, reject) =>
-    passport.authenticate(type, options, (err, user, info) => {
-      try {
-        request.authInfo = info;
-        return resolve(callback(err, user, info));
-      } catch (err) {
-        reject(err);
-      }
-    })(request, response, (err) => (err ? reject(err) : resolve)),
-  );
+const createPassportContext =
+  (request: any, response: any) => (type: any, options: any, callback: (...params: any[]) => any) =>
+    new Promise((resolve, reject) =>
+      passport.authenticate(type, options, (err: any, user: any, info: any) => {
+        try {
+          request.authInfo = info;
+          return resolve(callback(err, user, info));
+        } catch (err) {
+          reject(err);
+        }
+      })(request, response, (err: any) => (err ? reject(err) : resolve(undefined))),
+    );
 
 /**
  * Extension of AuthGuard to get context in handleRequest method
  * See: https://github.com/nestjs/passport/blob/master/lib/auth.guard.ts
  *
+ * MULTI-TOKEN SUPPORT:
+ * This guard supports multiple authentication strategies:
+ * 1. JWT (Legacy Auth) - Uses Passport JWT strategy
+ * 2. JWT_REFRESH (Legacy Auth) - Uses Passport JWT refresh strategy
+ * 3. BETTER_AUTH (IAM) - Uses BetterAuthTokenService directly (no Passport)
+ *
+ * For BETTER_AUTH strategy:
+ * - First checks if user is already authenticated via middleware (_authenticatedViaBetterAuth)
+ * - If not, validates the token via BetterAuthTokenService (JWT or session token)
+ * - Loads the full user from MongoDB with hasRole() capability
+ *
  * Can be removed when pull request is merged:
  * https://github.com/nestjs/passport/pull/66
  */
 function createAuthGuard(type?: AuthGuardStrategy | string | string[]): Type<IAuthGuard> {
   class MixinAuthGuard<TUser = any> {
+    private readonly logger = new Logger('AuthGuard');
+    private betterAuthService: CoreBetterAuthService | null = null;
+    private tokenService: BetterAuthTokenService | null = null;
+    private servicesResolved = false;
+
     /**
      * Integrate options
      */
-    constructor(@Optional() protected readonly options?: AuthModuleOptions) {
+    constructor(
+      @Optional() protected readonly options?: AuthModuleOptions,
+      @Optional() private readonly moduleRef?: ModuleRef,
+    ) {
       this.options = this.options || {};
       if (!type && !this.options.defaultStrategy) {
-        new Logger('AuthGuard').error(NO_STRATEGY_ERROR);
+        this.logger.error(NO_STRATEGY_ERROR);
       }
     }
 
     /**
-     * Integrate options
+     * Lazily resolve BetterAuth services
+     */
+    private resolveServices(): void {
+      if (this.servicesResolved || !this.moduleRef) {
+        return;
+      }
+
+      try {
+        this.betterAuthService = this.moduleRef.get(CoreBetterAuthService, { strict: false });
+      } catch {
+        // BetterAuth not available - that's fine for JWT-only setups
+      }
+
+      try {
+        this.tokenService = this.moduleRef.get(BetterAuthTokenService, { strict: false });
+      } catch {
+        // BetterAuthTokenService not available
+      }
+
+      this.servicesResolved = true;
+    }
+
+    /**
+     * Check if user can activate the route
      */
     async canActivate(context: ExecutionContext): Promise<boolean> {
       const args = context.getArgs();
@@ -84,16 +131,81 @@ function createAuthGuard(type?: AuthGuardStrategy | string | string[]): Type<IAu
         return true;
       }
 
-      // Proceed with Passport authentication
+      // For BETTER_AUTH strategy, use BetterAuthTokenService directly (no Passport)
+      if (type === AuthGuardStrategy.BETTER_AUTH) {
+        return this.handleBetterAuthStrategy(context, request, options);
+      }
+
+      // Proceed with Passport authentication for other strategies
       const response = context?.switchToHttp()?.getResponse();
       const passportFn = createPassportContext(request, response);
-      const user = await passportFn(type || this.options.defaultStrategy, options, (err, currentUser, info) =>
+      const user = await passportFn(type || this.options?.defaultStrategy, options, (err: any, currentUser: any, info: any) =>
         this.handleRequest(err, currentUser, info, context),
       );
       request[options.property || defaultOptions.property] = user;
       return true;
     }
 
+    /**
+     * Handle BETTER_AUTH strategy authentication.
+     * Validates tokens via BetterAuthTokenService without using Passport.
+     */
+    private async handleBetterAuthStrategy(
+      context: ExecutionContext,
+      request: any,
+      options: AuthModuleOptions,
+    ): Promise<boolean> {
+      // Resolve services lazily
+      this.resolveServices();
+
+      if (!this.betterAuthService?.isEnabled()) {
+        this.logger.warn('BETTER_AUTH strategy used but BetterAuth is not enabled');
+        throw new InvalidTokenException();
+      }
+
+      // Try to validate token via BetterAuthTokenService
+      const user = await this.verifyBetterAuthToken(request);
+
+      if (!user) {
+        throw new InvalidTokenException();
+      }
+
+      // Validate through handleRequest and set user on request
+      const validatedUser = this.handleRequest(null, user, null, context);
+      request[options.property || defaultOptions.property] = validatedUser;
+      return true;
+    }
+
+    /**
+     * Verify BetterAuth token (JWT or session) and load the corresponding user.
+     *
+     * Delegates to BetterAuthTokenService for token verification and user loading.
+     *
+     * @param request - HTTP request object
+     * @returns User object if verification succeeds, null otherwise
+     */
+    private async verifyBetterAuthToken(request: any): Promise<BetterAuthenticatedUser | null> {
+      if (!this.tokenService) {
+        return null;
+      }
+
+      try {
+        // Extract token from request
+        const { token } = this.tokenService.extractTokenFromRequest(request);
+        if (!token) {
+          return null;
+        }
+
+        // Verify token and load user
+        return await this.tokenService.verifyAndLoadUser(token);
+      } catch (error) {
+        this.logger.debug(
+          `BetterAuth token verification failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        );
+        return null;
+      }
+    }
+
     /**
      * Prepare request
      */
@@ -104,7 +216,9 @@ function createAuthGuard(type?: AuthGuardStrategy | string | string[]): Type<IAu
         if (ctx?.req) {
           return ctx.req;
         }
-      } catch (e) {}
+      } catch {
+        // GraphQL context not available
+      }
 
       // Else return HTTP request
       return context && context.switchToHttp() ? context.switchToHttp().getRequest() : null;
@@ -113,16 +227,15 @@ function createAuthGuard(type?: AuthGuardStrategy | string | string[]): Type<IAu
     /**
      * Login for session handling
      */
-    async logIn<TRequest extends { logIn: (...params) => any } = any>(request: TRequest) {
-      const user = request[this.options.property || defaultOptions.property];
-      await new Promise<void>((resolve, reject) => request.logIn(user, (err) => (err ? reject(err) : resolve())));
+    async logIn<TRequest extends { logIn: (...params: any[]) => any } = any>(request: TRequest) {
+      const user = request[this.options?.property || defaultOptions.property];
+      await new Promise<void>((resolve, reject) => request.logIn(user, (err: any) => (err ? reject(err) : resolve())));
     }
 
     /**
      * Process request
      */
-    // eslint-disable-next-line unused-imports/no-unused-vars
-    handleRequest(err, user, info, context): TUser {
+    handleRequest(err: Error | null, user: any, info: any, _context: ExecutionContext): TUser {
       if (err) {
         throw new InvalidTokenException();
       }